Performance analysis for security is needed more than ever
https://www.youtube.com/watch?v=d06mx4i1TzU

Performance issues don't demo well. So, like superheroes, performance analysts don't get slaps on the back and promotions for averting disasters. Even at Netflix, where top engineers get paid top dollar, "it took years to get perf. timing logs in".

Typically, those who control priorities have no direct personal incentive to allocate time for such "frivolities", even though hackers use differences in timings to break security mechanisms.

Yet in 2024, the two biggest bombshell security announcements involved analysis by people who bothered to analyze performance at low levels:

  • Apple's "unfixable" Silicon chip flaw
  • Linux SSH backdoor via XZ Utils (CVE-2024-3094)

___________________________

Analyzing timings is a well-known hacker technique.

Apple's "unfixable" Silicon Chip Flaw

A video from Low Level Coding describes how researchers discovered the logic flaw by noticing that it takes longer to do things one way than another, and using that timing difference as the basis for a side-channel attack on speculative execution from another process.

This means there will be more need for performance analysts to validate implementations of "constant time" requirements, where a function takes the same time to perform a security task regardless of the outcome.
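What "constant time regardless of outcome" means in practice, as an added illustration (this code is not from the article or from the researchers it cites): an early-exit comparison of a secret against a guess stops at the first mismatching byte, so its running time reveals how long the matching prefix is; a constant-time comparison does the same amount of work for every input. Rather than timing the two with a noisy clock, the functions below count how many bytes each one examined, which is the quantity the timing leaks. The secret and guesses are constructed sample inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison. Returns 1 if equal, 0 otherwise, and stops at the
 * first mismatch, so the work done (and therefore the time taken) grows with
 * the length of the matching prefix. That growth is the timing signal an
 * attacker measures. *examined is instrumentation for this example only. */
int compare_early_exit(const uint8_t *secret, const uint8_t *guess,
                       size_t len, size_t *examined)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (secret[i] != guess[i]) {
            *examined = i + 1;   /* bytes touched before giving up */
            return 0;
        }
    }
    *examined = len;
    return 1;
}

/* Constant-time comparison. Always touches every byte and accumulates the
 * differences with OR, so the work done does not depend on where, or whether,
 * the inputs differ. The final mapping of diff to 0/1 also avoids a
 * data-dependent branch. */
int compare_constant_time(const uint8_t *secret, const uint8_t *guess,
                          size_t len, size_t *examined)
{
    uint8_t diff = 0;
    size_t i;
    for (i = 0; i < len; i++) {
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    }
    *examined = len;
    /* (diff - 1) wraps to a large unsigned value only when diff == 0,
     * so bit 8 and above are set exactly in the "equal" case. */
    return (int)((((unsigned)diff - 1u) >> 8) & 1u);
}

/* Convenience wrappers over equal-length NUL-terminated strings that report
 * how many bytes each comparison examined, and the constant-time verdict. */
size_t examined_early_exit(const char *secret, const char *guess)
{
    size_t n = 0;
    compare_early_exit((const uint8_t *)secret, (const uint8_t *)guess,
                       strlen(secret), &n);
    return n;
}

size_t examined_constant_time(const char *secret, const char *guess)
{
    size_t n = 0;
    compare_constant_time((const uint8_t *)secret, (const uint8_t *)guess,
                          strlen(secret), &n);
    return n;
}

int equal_constant_time(const char *secret, const char *guess)
{
    size_t n = 0;
    return compare_constant_time((const uint8_t *)secret, (const uint8_t *)guess,
                                 strlen(secret), &n);
}

int main(void)
{
    /* Constructed inputs: a six-byte secret and guesses that share 0, 3 and
     * 6 leading bytes with it. */
    const char *secret = "abcdef";
    const char *guesses[] = { "Xbcdef", "abXdef", "abcdef" };
    size_t g;
    for (g = 0; g < 3; g++) {
        printf("guess %s: early-exit examined %zu bytes, constant-time examined %zu bytes\n",
               guesses[g], examined_early_exit(secret, guesses[g]),
               examined_constant_time(secret, guesses[g]));
    }
    return 0;
}
```

The early-exit version examines 1, 3 and 6 bytes for the three guesses, while the constant-time version examines 6 every time. A review of a "constant time" requirement checks for exactly this shape: no early return, no branch on secret data, and the result folded out of an accumulator at the end.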

XZ SSH Linux

https://nvd.nist.gov/vuln/detail/CVE-2024-3094 gave the vulnerability a CVSS score of 10 out of 10 (the most severe possible).

Specifically, a trojan was planted in the LZMA compression code of the utilities for the XZ compressed file format used on Linux operating systems (Debian). Kubernetes also makes use of the utility.

My hero, Andres Freund (a Microsoft engineer, not a security researcher), discovered the vulnerability after he dug into why ssh took just a half-second longer when newer (not stable) versions of the XZ utilities were installed.

ThePrimeTime channel on YouTube has a one-hour video featuring security researcher @LowLevelLearning's explainer video.

On his Openwall post, Andres called his discovery "accidental" because he was actually doing regression tests of Postgres database upgrades. He was on this podcast.
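The half-second slowdown described above is the kind of shift a routine latency-regression check would surface. As an added example (not the article's code, and not Andres Freund's own analysis), the block below compares repeated timings of one operation, such as an ssh login, measured before and after a package upgrade. The samples are constructed for the example and shaped like a roughly 500 ms slowdown; they are not real measurements, and the thresholds are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define N_SAMPLES 10

/* Constructed timings in milliseconds (not real data): a baseline run, a run
 * after a hypothetical upgrade, and a second baseline-like run with jitter. */
const double BASELINE_MS[N_SAMPLES] = { 118, 121, 119, 135, 117, 122, 120, 130, 119, 121 };
const double UPGRADED_MS[N_SAMPLES] = { 612, 630, 605, 660, 618, 625, 609, 640, 621, 615 };
const double NOISE_MS[N_SAMPLES]    = { 124, 119, 128, 120, 122, 131, 118, 125, 121, 123 };

static int cmp_double(const void *a, const void *b)
{
    double x = *(const double *)a, y = *(const double *)b;
    return (x > y) - (x < y);
}

/* Median of n > 0 samples. The median is used instead of the mean so that a
 * single slow outlier (a cold cache, a stalled disk) does not trigger an alert
 * on its own. Returns -1.0 if the working copy cannot be allocated. */
double median_ms(const double *samples, size_t n)
{
    double *copy = malloc(n * sizeof *copy);
    double m;
    if (copy == NULL) return -1.0;
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_double);
    m = (n % 2 == 1) ? copy[n / 2] : (copy[n / 2 - 1] + copy[n / 2]) / 2.0;
    free(copy);
    return m;
}

/* Shift of the candidate median over the baseline median, in ms
 * (positive means the candidate is slower). */
double median_shift_ms(const double *base, size_t nb, const double *cand, size_t nc)
{
    return median_ms(cand, nc) - median_ms(base, nb);
}

/* Flags a regression when the median shift exceeds BOTH an absolute floor and
 * a fraction of the baseline. The absolute floor keeps a few ms of jitter on a
 * fast operation quiet; the relative bound keeps a slow operation from being
 * flagged by a shift that is large in ms but small in proportion. */
int is_regression(const double *base, size_t nb, const double *cand, size_t nc,
                  double min_shift_ms, double min_shift_frac)
{
    double base_med = median_ms(base, nb);
    double shift = median_shift_ms(base, nb, cand, nc);
    return shift > min_shift_ms && shift > min_shift_frac * base_med;
}

int main(void)
{
    /* Thresholds are assumptions for the example: 100 ms and 20 %. */
    printf("baseline median %.1f ms, upgraded median %.1f ms, shift %.1f ms -> regression: %s\n",
           median_ms(BASELINE_MS, N_SAMPLES), median_ms(UPGRADED_MS, N_SAMPLES),
           median_shift_ms(BASELINE_MS, N_SAMPLES, UPGRADED_MS, N_SAMPLES),
           is_regression(BASELINE_MS, N_SAMPLES, UPGRADED_MS, N_SAMPLES, 100.0, 0.2) ? "yes" : "no");
    printf("baseline vs noisy rerun: shift %.1f ms -> regression: %s\n",
           median_shift_ms(BASELINE_MS, N_SAMPLES, NOISE_MS, N_SAMPLES),
           is_regression(BASELINE_MS, N_SAMPLES, NOISE_MS, N_SAMPLES, 100.0, 0.2) ? "yes" : "no");
    return 0;
}
```

With these samples the upgraded run's median is 499 ms above the baseline and is flagged, while the noisy rerun shifts by only 2 ms and is not. The point is not the arithmetic but the habit: a check like this run on every dependency bump turns "ssh feels a bit slower" from a hunch into a ticket that someone has to explain.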

All too common root cause

Security researcher Thomas Roccia's tweet (as @fr0gger_), shown in Theo's YouTube video, provides an illustrated explanation of how the attackers social-engineered (shamed) the maintainer into transferring maintainer status.

https://x.com/fr0gger_/status/1774342248437813525

This APT (Advanced Persistent Threat) supply-chain attack was not caught by automated scanners because the back door was not stored in GitHub but injected by test code that compromised the linker, using sophisticated ("genius") obfuscation techniques.

https://x.com/fr0gger_/status/1775759514249445565

Rob Mensching's blog post "A Microcosm of the interactions in Open Source projects" traces the email exchange in which the original maintainer burns out on the "unpaid hobby project", and only the attacker offers to help (so the attacker inherits the trust built up by the original maintainer).

Damien Miller noted (as @djm on the Mastodon instance cybervillains) that the discovery is the "nearest of near misses. No system caught this. It was luck and individual heroics."

https://explore.tidelift.com/upstream laments that such a situation is all too common, as illustrated by the famous meme at https://xkcd.com/2347/.



Additional info:

https://www.youtube.com/watch?v=ekh8jIcBulY

Statistics sought from performance/capacity runs

More articles by Wilson Mar, MSc
